During a co-existence scenario with a mixed client environment (XP SP2 through 7) we found an issue when Windows XP machines could not log in but Windows 7 clients could. From the client side we saw the following error:
I had the user sign in from a known good machine and everything worked. Since we were sure the credentials were right I decided to take a look at the Event Viewer on the server.
In the server I noticed the following event:
The great thing about this event is that the text in the error message is actually useful: it explains that the 2008 R2 server requires 128-bit encryption for NTLM session security and that lower level clients have this setting disabled by default.
Cause: This error can occur if the settings in “Network security: Minimum session security for NTLM SSP based (including secure RPC) clients” policy on the client computer are not the same as the settings in the “Network security: Minimum session security for NTLM SSP based (including secure RPC) servers” policy on this server. By default, the “Require 128-bit encryption” setting is disabled for computers running Windows Server 2008, Windows Vista, Windows Server 2003, Windows 2000 Server, or Windows XP. For computers running Windows 7 or Windows Server 2008 R2 this setting is enabled by default.
Because some of the machines in the environment were unmanaged external clients and we didn’t want to impact their productivity, we decided to update the server to allow the lower level clients (XP in this case) to connect.
To view the current settings you can open the “Local Security Policy” snap-in under Administrative Tools on the front end server.
After expanding Local Policies and clicking on Security Options we can scroll down to “Network security: Minimum session security for NTLM SSP based (including secure RPC) servers” and see the default setting of “Require 128-bit encryption”. (If this server is domain-joined and the setting is delivered by Group Policy, the entry will be greyed out in the local snap-in and any local change will be overwritten at the next policy refresh; edit the GPO that applies to the server instead.)
To change this, double click the entry then un-check the box next to “Require 128-bit encryption” and click OK.
After closing the box we now see the modified setting, which takes effect immediately, and our XP and Vista clients can now sign in.
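The same setting can be audited and changed from the command line, which is handy when you have more than one front end server to check. The following PowerShell is an added example, not code from the original post. It assumes the well-known registry locations behind these two policy entries (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0, values NTLMMinServerSec and NTLMMinClientSec) and the documented bit flags 0x20000000 (“Require 128-bit encryption”) and 0x00080000 (“Require NTLMv2 session security”); the function names are my own.

```powershell
# Added example (not from the original post): audit, and optionally relax,
# the "Network security: Minimum session security for NTLM SSP based
# (including secure RPC) clients/servers" policies on the local machine.
# Both policies are stored as DWORD bit flags under the LSA MSV1_0 key.
$LsaKey        = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$RequireNtlmV2 = 0x00080000   # "Require NTLMv2 session security"
$Require128Bit = 0x20000000   # "Require 128-bit encryption"

function Get-NtlmMinSec {
    # Decode one of the two policy values into readable flags.
    param([ValidateSet('NTLMMinServerSec','NTLMMinClientSec')][string]$Name)
    $value = (Get-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $value) {
        # Value absent: the OS built-in default applies (128-bit on Win7 / 2008 R2).
        return [pscustomobject]@{ Name = $Name; Raw = 'not set'; RequireNtlmV2 = $null; Require128Bit = $null }
    }
    [pscustomobject]@{
        Name          = $Name
        Raw           = ('0x{0:X8}' -f $value)
        RequireNtlmV2 = [bool]($value -band $RequireNtlmV2)
        Require128Bit = [bool]($value -band $Require128Bit)
    }
}

function Disable-Ntlm128BitRequirement {
    # Clear only the 128-bit flag on the *server* policy, leaving the NTLMv2
    # requirement (if set) untouched. Supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $current = (Get-ItemProperty -Path $LsaKey -Name NTLMMinServerSec -ErrorAction SilentlyContinue).NTLMMinServerSec
    if ($null -eq $current) { $current = $Require128Bit }   # assume the OS default
    $new = $current -band (-bnot $Require128Bit)
    if ($new -eq $current) { Write-Host 'Require 128-bit encryption is already disabled.'; return }
    if ($PSCmdlet.ShouldProcess("$LsaKey\NTLMMinServerSec", ('set to 0x{0:X8}' -f $new))) {
        Set-ItemProperty -Path $LsaKey -Name NTLMMinServerSec -Value $new -Type DWord
    }
}

# Show the current state of both policies, then preview the change.
'NTLMMinServerSec','NTLMMinClientSec' | ForEach-Object { Get-NtlmMinSec -Name $_ } | Format-Table -AutoSize
Disable-Ntlm128BitRequirement -WhatIf   # drop -WhatIf to apply it (run elevated)
```

Run the audit half on an XP client as well as on the server: the mismatch the event describes is a client whose NTLMMinClientSec lacks the 0x20000000 flag talking to a server whose NTLMMinServerSec has it. On managed clients the better fix is to set that flag on the client side through Group Policy rather than lowering the server; only unmanaged clients, as in this case, leave the server-side change as the practical option.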
My preference would have been to leave the default in place, since requiring 128-bit encryption (and NTLMv2 session security) on the server is the stronger setting and clearing it lets every client, not just the XP machines, negotiate weaker NTLM session security. With so many unmanaged remote clients, however, the only workable change was on the server side. Treat it as a temporary concession: once the XP clients are retired or brought under management, re-enable “Require 128-bit encryption” on the server.